WEEKLY TOP TEN: March 17, 2025, 16:00 GMT
- Meta Warns of Vulnerability in FreeType
Meta has issued a warning about a critical vulnerability (CVE-2025-27363) in the FreeType open-source font rendering library, which it says may have been exploited in the wild. The flaw is an out-of-bounds write affecting FreeType 2.13.0 and earlier, triggered when parsing font subglyph structures in TrueType GX and variable font files: a signed short value is assigned to an unsigned long and then added to a static value, the result wraps, the heap buffer is allocated too small, and up to six signed long integers are then written past its end. A crafted font file can therefore lead to arbitrary code execution in any process that renders it.
The fix has been in FreeType since 2.13.1, but many Linux distributions still ship older versions and remain exposed. Users are urged to update to FreeType 2.13.3 or later. Because browsers, document viewers and desktop environments all load FreeType, any application that renders untrusted fonts is a potential vector.

- GitLab Patches Critical Auth Bypass Vulnerabilities
GitLab has fixed two critical authentication bypass vulnerabilities (CVE-2025-25291 and CVE-2025-25292) in Community Edition and Enterprise Edition, both stemming from the ruby-saml library used for SAML single sign-on. Because of a parser differential in how ruby-saml validates XML signatures, an attacker who holds a single valid signed SAML document from the identity provider can craft an assertion that authenticates as another user, leading to account takeover. Patches are included in GitLab 17.9.2, 17.8.5 and 17.7.7; GitLab.com is already patched, while self-managed instances must be updated manually. Instances that do not use SAML are not affected.

- OBSCURE#BAT Loader Used to Deploy r77 Rootkit
A new malware campaign, dubbed OBSCURE#BAT, uses social engineering to deliver r77, an open-source user-mode rootkit. It targets English-speaking users, notably in the US, Canada, Germany and the UK, by posing as legitimate software downloads or fake CAPTCHA pages. Once run, heavily obfuscated batch scripts establish persistence, modify the Windows registry, and stage a multi-step infection with anti-analysis checks; the rootkit then hides files, processes and registry keys from the user and monitors clipboard activity for later exfiltration.

- New Cryptojacker Malware Targets Users of Piracy Sites
A new campaign called MassJacker targets people looking for pirated software with clipper malware that steals cryptocurrency. The malware watches the clipboard and silently swaps a copied wallet address for one controlled by the attacker, so funds the victim sends are rerouted. It is delivered from a malicious software-download site through a multi-stage chain of PowerShell scripts and botnet malware and uses several evasion techniques. Researchers have identified over 778,000 unique attacker-controlled wallet addresses, with about $95,300 confirmed stolen so far.

- Alleged LockBit Ransomware Developer Extradited to the US
Rostislav Panev, a dual Russian-Israeli national and alleged developer for the LockBit ransomware group, has been extradited to the US following his arrest in Israel in August 2024. Panev allegedly worked for LockBit from 2019 to 2024, building malware that disabled antivirus products and deployed ransomware across victim networks; the group is linked to attacks on more than 2,500 entities worldwide and over $500 million in ransom payments. He faces charges related to his role in the operation, which targeted individuals, businesses and critical infrastructure.

- Cisco Vulnerability Leads to DoS of BGP Routers
Cisco has patched a high-severity denial-of-service (DoS) vulnerability (CVE-2025-20115) in IOS XR that lets an unauthenticated remote attacker crash the Border Gateway Protocol (BGP) process with a single crafted BGP UPDATE message. The flaw affects devices configured for BGP confederation: an AS_CONFED_SEQUENCE attribute carrying 255 or more autonomous system numbers triggers memory corruption and a BGP process restart. Cisco is not aware of active exploitation and recommends upgrading to a fixed release or, as a temporary workaround, configuring a routing policy that restricts the AS_CONFED_SEQUENCE attribute to 254 or fewer AS numbers.
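For the Cisco IOS XR item above, the following is an added example, not Cisco's code and not part of the original digest: a small parser for the BGP AS_PATH attribute that flags AS_CONFED_SEQUENCE segments longer than the 254-ASN cap the workaround imposes. BGP encodes each path segment as a one-byte type, a one-byte ASN count and the ASNs themselves (RFC 4271), so 255 is the largest count a segment can carry, which is why capping at 254 closes the gap. Four-byte ASNs (RFC 6793) are assumed, and the sample attribute bodies are constructed here rather than captured from a router.

```python
import struct

AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
SEGMENT_NAMES = {AS_SET: "AS_SET", AS_SEQUENCE: "AS_SEQUENCE",
                 AS_CONFED_SEQUENCE: "AS_CONFED_SEQUENCE", AS_CONFED_SET: "AS_CONFED_SET"}
MAX_SAFE_CONFED_SEQ = 254  # the workaround threshold quoted in the digest


def parse_as_path(body: bytes, asn_size: int = 4):
    """Split an AS_PATH attribute body into (segment_type, [asn, ...]) tuples.

    Every length is checked against the remaining buffer before it is read, so
    a truncated or malformed attribute raises ValueError instead of being read
    past its end.
    """
    if asn_size not in (2, 4):
        raise ValueError("asn_size must be 2 or 4")
    fmt = ">I" if asn_size == 4 else ">H"
    segments = []
    offset = 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError(f"truncated segment header at offset {offset}")
        seg_type, count = body[offset], body[offset + 1]
        if seg_type not in SEGMENT_NAMES:
            raise ValueError(f"unknown segment type {seg_type}")
        offset += 2
        end = offset + count * asn_size
        if end > len(body):
            raise ValueError(f"segment claims {count} ASNs but only "
                             f"{len(body) - offset} bytes remain")
        asns = [struct.unpack_from(fmt, body, offset + i * asn_size)[0]
                for i in range(count)]
        segments.append((seg_type, asns))
        offset = end
    return segments


def oversized_confed_sequences(body: bytes, asn_size: int = 4,
                               limit: int = MAX_SAFE_CONFED_SEQ):
    """Return the lengths of AS_CONFED_SEQUENCE segments exceeding `limit`."""
    return [len(asns) for seg_type, asns in parse_as_path(body, asn_size)
            if seg_type == AS_CONFED_SEQUENCE and len(asns) > limit]


def build_segment(seg_type: int, asns, asn_size: int = 4) -> bytes:
    """Encode one path segment; the one-byte count field caps a segment at 255 ASNs."""
    asns = list(asns)
    if len(asns) > 255:
        raise ValueError("a path segment cannot carry more than 255 ASNs")
    fmt = ">I" if asn_size == 4 else ">H"
    return bytes([seg_type, len(asns)]) + b"".join(struct.pack(fmt, a) for a in asns)


# Constructed samples (private-use ASNs): a normal confederation path and a
# 255-ASN AS_CONFED_SEQUENCE, the longest a single segment can encode.
BENIGN_PATH = (build_segment(AS_CONFED_SEQUENCE, [65001, 65002])
               + build_segment(AS_SEQUENCE, [64496, 64497]))
OVERSIZED_PATH = (build_segment(AS_CONFED_SEQUENCE, range(65001, 65001 + 255))
                  + build_segment(AS_SEQUENCE, [64496]))

if __name__ == "__main__":
    for name, path in (("benign", BENIGN_PATH), ("oversized", OVERSIZED_PATH)):
        layout = [(SEGMENT_NAMES[t], len(a)) for t, a in parse_as_path(path)]
        print(name, layout, "flagged:", oversized_confed_sequences(path))
```

Fed the raw attribute body from a packet capture of the session, the same check tells an operator whether a peer is already sending confederation sequences at the problematic length, independent of whether the router has been upgraded.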
- LockBit-Affiliated Group Targets Organizations Using Fortinet Devices
Since January, the threat actor "Mora_001" has been exploiting two Fortinet vulnerabilities (CVE-2024-55591 and CVE-2025-24472) to gain super-admin access to vulnerable FortiOS and FortiProxy devices and deploy SuperBlack ransomware. Mora_001 is believed to have ties to the LockBit ransomware group because of similarities in post-exploitation behaviour and ransom note characteristics. Researchers urge organizations, especially in the US, India and Brazil, to patch affected devices, restrict management-interface access to trusted networks, and apply layered controls so that a compromised edge device does not give an attacker a free path into the internal network.

- North Korean Threat Actors Develop New Android Malware
North Korea-linked APT group ScarCruft (APT37) is behind KoSpy, a previously undetected Android surveillance tool used against Korean- and English-speaking users. The spyware, distributed through fake utility apps with names such as "File Manager" and "Kakao Security", collects SMS messages, call logs, location, files and other sensitive data. KoSpy shares infrastructure and techniques with other North Korean operations, including some tied to APT43. Researchers attribute the activity to ScarCruft with medium confidence, based on the overlap in infrastructure and targeting.

- US Government Agencies Warn of Increased Number of Medusa Ransomware Attacks
The Cybersecurity and Infrastructure Security Agency (CISA), the FBI and MS-ISAC have issued a joint #StopRansomware advisory on Medusa, a ransomware-as-a-service (RaaS) operation that has affected more than 300 victims since 2021. Affiliates gain initial access through phishing and exploitation of unpatched vulnerabilities, and ransom demands range from $100,000 to $15 million under a double-extortion model. The agencies recommend patching, network segmentation, multi-factor authentication, and an "assume breach" mindset when designing defenses.

- Coordinated Cyber Attacks Result in Large Numbers of SSRF Attempts
GreyNoise has reported a surge in exploitation attempts against multiple Server-Side Request Forgery (SSRF) vulnerabilities, with over 400 IPs targeting known flaws in platforms including DotNetNuke, Zimbra, VMware, GitLab and Ivanti. The activity is coordinated, with the same sources probing many SSRF bugs at once, and spans several countries, including the US, Germany and Japan. A successful SSRF lets an attacker make the server issue requests on their behalf, which on cloud hosts typically means reading the instance metadata service for credentials and reaching internal services that are not exposed to the internet.
Users are urged to apply patches, limit outbound connections from application servers (in particular to the metadata endpoint and internal ranges), and monitor for unexpected egress. Grafana path traversal attempts were also observed shortly before the SSRF surge, suggesting the same actors were performing reconnaissance first.
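For the SSRF item above, the following is an added example; it is not GreyNoise's code, not from any product named in the digest, and not part of the original page. It contrasts an outbound URL fetch that trusts the caller's host (so http://169.254.169.254/ goes straight to the cloud metadata service) with a guard that pins the scheme, resolves the host itself, rejects loopback, link-local, private, multicast and reserved destinations (including IPv4-mapped IPv6 forms), and returns the checked IP so the caller connects to that address rather than resolving a second time. FAKE_DNS is a constructed lookup table so the example runs offline; production code would pass a resolver built on socket.getaddrinfo.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table for offline use. 8.8.8.8 stands in for any ordinary
# public host; ipaddress treats the documentation ranges (203.0.113.0/24 etc.)
# as private, so they cannot play the "public" role here.
FAKE_DNS = {
    "api.example.com": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],   # CNAME-style alias for the metadata service
    "rebind.example.net": ["8.8.8.8", "10.0.0.5"],  # one public answer, one private
}


def fake_resolve(host: str):
    """Stand-in resolver; raises on unknown names the way a failed lookup would."""
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return list(FAKE_DNS[host])


def vulnerable_target(url: str):
    """'Before': trusts the URL as given, so metadata and internal hosts pass."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or 80


def is_public_address(text: str) -> bool:
    """True only for addresses a server-side fetch may reach on the open internet."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def hardened_target(url: str, resolve=fake_resolve, allowed_hosts=None):
    """'After': return (ip, port) for a destination that passed every check.

    Raises ValueError otherwise. allowed_hosts, when given, is an exact-match
    hostname allowlist applied before resolution.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("no host in URL")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host}")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        # Anything that is neither a dotted/colon literal nor resolvable (for
        # example the decimal form 2852039166) fails closed here.
        addresses = resolve(host)
    if not addresses or not all(is_public_address(a) for a in addresses):
        raise ValueError(f"{host} resolves to a non-public address")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return addresses[0], port


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/items",
                "http://169.254.169.254/latest/meta-data/",
                "http://rebind.example.net/"):
        try:
            print(url, "->", hardened_target(url))
        except ValueError as exc:
            print(url, "-> blocked:", exc)
```

Rejecting a name when any resolved answer is non-public, and handing the pinned IP to the HTTP client, are the two details that matter most: the first defeats split answers, and the second keeps a DNS rebinding between check and connect from reopening the hole.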
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were selected from the 40+ original items we judged most significant during the week, ranked by highest risk and drawing on multiple sources where available.