WEEKLY TOP TEN: April 21, 2025, 16:00 GMT
- ASUS AiCloud Authentication Bypass
ASUS has issued a warning about a critical authentication bypass vulnerability, identified as CVE-2025-2492, affecting routers with the AiCloud feature enabled. This flaw allows unauthenticated remote attackers to execute unauthorized functions on the device by sending specially crafted requests. The vulnerability impacts multiple ASUS router models across various firmware versions, including the 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102 series. ASUS has released firmware updates that address this issue for each affected router.
- Windows NTLM Hash Leak Flaw Actively Exploited
A critical Windows vulnerability, tracked as CVE-2025-24054, has been observed by Check Point being actively exploited in phishing campaigns targeting government agencies and private organizations. The flaw allows attackers to steal NTLM authentication hashes by tricking users into opening specially crafted .library-ms files, which automatically connect to attacker-controlled SMB servers and leak the hashes without further user interaction. Organizations are advised to block outbound SMB connections, restrict NTLM usage, implement email filtering to mitigate such attacks, and ensure their systems have the most recent patches applied.
- China-Linked Threat Group Infects European Networks with Brickstorm Backdoor
A China-linked cyber espionage group, UNC5221, has been seen deploying new Windows-based variants of the Brickstorm backdoor to infiltrate critical infrastructure networks across Europe. Originally observed by Mandiant on Linux servers running VMware vCenter, Brickstorm has evolved to target Windows environments, enabling attackers to browse file systems, manipulate files and folders, and perform network tunneling for lateral movement. Researchers at Belgian cybersecurity firm Nviso discovered these Windows variants during incident response engagements, noting that the malware has been in use since at least 2022 and remained undetected until recently.
- New Ransomware Threat Group “CrazyHunter” Targets Taiwanese Organizations
A new ransomware group known as “CrazyHunter” was discovered by Trend Micro targeting critical sectors in Taiwan, including healthcare and education. The group has been active for about a month and employs sophisticated techniques such as “bring your own vulnerable driver” (BYOVD) attacks to bypass security measures. “CrazyHunter” utilizes open-source tools like the Prince Ransomware Builder and ZammoCide, a process-killing utility, to facilitate its operations. “CrazyHunter” has publicly claimed responsibility for attacks on ten Taiwanese organizations so far.
- CISA Warns of SonicWall SMA Being Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) 100 series appliances. This flaw affects devices including SMA 200, 210, 400, 410, and 500v (across ESX, KVM, AWS, and Azure platforms), allowing remote, low-privileged attackers to execute arbitrary commands via the management interface. SonicWall initially patched the flaw in September 2021 and classified it as a denial-of-service issue; it has now updated its advisory to reflect active exploitation and raised the CVSS severity score to 7.2.
- Midnight Blizzard Deploys New ‘GrapeLoader’ Malware in Phishing Campaign
According to Check Point researchers, the Russian state-sponsored espionage group Midnight Blizzard has launched a spear-phishing campaign targeting European diplomatic entities, including embassies. Initiated in January 2025, the campaign involves emails masquerading as invitations to wine-tasting events from spoofed Ministry of Foreign Affairs addresses. These emails contain links that, upon meeting certain conditions, download a ZIP archive named ‘wine.zip’. This archive includes a legitimate PowerPoint executable, a necessary DLL, and a new variant of the ‘WineLoader’ backdoor called ‘GrapeLoader’. The new variant employs DLL sideloading to execute, collecting host information, modifying the Windows Registry for persistence, and contacting a command-and-control server to receive and execute shellcode in memory.
- New Global Phishing Campaign Seen Deploying New Remote Access Trojan
Researchers from Morphisec discovered a new remote access Trojan (RAT) named “Resolver RAT” being deployed in global phishing campaigns targeting sectors such as healthcare and pharmaceuticals. The campaigns utilize phishing emails in multiple languages, including Hindi, Indonesian, Czech, Italian, Portuguese, and Turkish, often referencing urgent legal matters like copyright infringement to entice victims. Once a victim engages, the attack leverages DLL sideloading through a vulnerable Haihaisoft PDF Reader binary (hpreader.exe) to deliver Resolver RAT.
- ‘Mustang Panda’ Employs Four New Attack Tools
Chinese state-sponsored threat actor Mustang Panda has expanded its cyber-espionage toolkit with four newly identified malware tools: two keyloggers named ‘PAKLOG’ and ‘COXPLUG’, a lateral movement utility called ‘StarProxy’, and an endpoint detection and response (EDR) evasion driver known as ‘SplatCloak’. These tools were uncovered by Zscaler during a recent attack on an organization based in Myanmar. The new malware components are designed to enhance Mustang Panda’s capabilities in credential theft, stealthy network traversal, and evasion of security defenses.
- Critical Flaw in Apache Roller Allows Attackers to Retain Unauthorized Access
A critical session management vulnerability in Apache Roller, tracked as CVE-2025-24859 with a CVSS score of 10.0, allows attackers to maintain unauthorized access even after a user’s password is changed. This flaw affects all versions up to and including 6.1.4, where active user sessions are not properly invalidated upon password changes, enabling continued access through existing sessions if credentials were previously compromised. Apache addressed the issue in version 6.1.5 by implementing centralized session management that correctly terminates all active sessions when passwords are changed or users are disabled.
- Erlang/Open Telecom Platform (OTP) SSH Critical Vulnerability Allows Unauthenticated Code Execution
A critical vulnerability in the Erlang/Open Telecom Platform (OTP) SSH implementation, identified as CVE-2025-32433 with a CVSS score of 10.0, allows unauthenticated attackers with network access to execute arbitrary code on affected servers. The flaw arises from improper handling of SSH protocol messages, enabling attackers to send connection protocol messages before authentication. This vulnerability has been patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.
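An added example, not Apache Roller's code, illustrating the defect class behind the Apache Roller item above: a hypothetical in-memory session store that either leaves sessions alive after a password change (the vulnerable behaviour in 6.1.4 and earlier) or revokes every session of the user centrally on password change and on account disablement (what the fix does). All names are assumptions, and sha256 stands in for a proper password KDF only to keep the block short.

```python
import hashlib
import secrets


def _digest(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()  # KDF stand-in


class SessionStore:
    # Hypothetical store; the user -> session index is what makes revocation possible.
    def __init__(self, revoke_on_password_change: bool):
        self.revoke_on_password_change = revoke_on_password_change
        self._pw = {}          # user -> (salt, digest)
        self._sessions = {}    # session id -> user
        self._by_user = {}     # user -> set of session ids
        self._disabled = set()

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, _digest(salt, password))

    def login(self, user: str, password: str):
        salt, digest = self._pw[user]
        if user in self._disabled or not secrets.compare_digest(digest, _digest(salt, password)):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        self._by_user.setdefault(user, set()).add(sid)
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions

    def revoke_all(self, user: str) -> None:
        for sid in self._by_user.pop(user, set()):
            self._sessions.pop(sid, None)

    def change_password(self, user: str, new_password: str) -> None:
        self.set_password(user, new_password)
        if self.revoke_on_password_change:   # the behaviour the fixed version adds
            self.revoke_all(user)

    def disable_user(self, user: str) -> None:
        self._disabled.add(user)
        self.revoke_all(user)


def stolen_session_survives(revoke_on_change: bool) -> bool:
    # True if a session opened with a leaked password outlives the password change.
    store = SessionStore(revoke_on_change)
    store.set_password("alice", "leaked-pw")
    stolen = store.login("alice", "leaked-pw")     # session created with the leaked password
    store.change_password("alice", "rotated-pw")   # victim rotates the password
    return store.is_valid(stolen)
```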
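An added example, not Erlang/OTP's code, modelling the ordering check the Erlang/OTP SSH item above is about: a hypothetical server-side dispatcher that refuses connection-protocol messages (RFC 4251 message numbers 80 to 127, such as SSH_MSG_CHANNEL_OPEN) until user authentication has completed, fed with constructed sample messages. The enforce_auth_order flag exists only to show the two behaviours side by side.

```python
import struct

# Message numbers from RFC 4253/4254; RFC 4251 reserves 80-127 for the connection protocol.
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CONNECTION_PROTOCOL = range(80, 128)


def ssh_string(s: str) -> bytes:
    return struct.pack(">I", len(s)) + s.encode()

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n].decode(), off + 4 + n

def channel_open_session(sender_chan: int) -> bytes:
    # Constructed SSH_MSG_CHANNEL_OPEN "session": sender channel, window, max packet.
    return bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string("session") + struct.pack(">III", sender_chan, 65536, 32768)

def channel_request(recipient: int, req: str) -> bytes:
    # Constructed SSH_MSG_CHANNEL_REQUEST with want_reply = false.
    return bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", recipient) + ssh_string(req) + b"\x00"


class ServerSession:
    def __init__(self, enforce_auth_order: bool = True):
        self.enforce_auth_order = enforce_auth_order
        self.authenticated = False
        self.closed = False

    def mark_authenticated(self) -> None:
        self.authenticated = True   # called by the userauth layer on success

    def handle(self, payload: bytes) -> str:
        if self.closed:
            return "closed"
        msg_type = payload[0]
        # The gate: connection-protocol messages are invalid before userauth completes.
        if self.enforce_auth_order and not self.authenticated and msg_type in CONNECTION_PROTOCOL:
            self.closed = True
            return "disconnect:protocol-error"
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            ctype, off = _read_string(payload, 1)
            (sender,) = struct.unpack_from(">I", payload, off)
            return f"channel_open:{sender}:{ctype}"
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            (chan,) = struct.unpack_from(">I", payload, 1)
            req, _ = _read_string(payload, 5)
            return f"channel_request:{chan}:{req}"
        return f"unhandled:{msg_type}"
```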
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories in this digest were selected from the 40+ we collected during the week as the most significant, ranked by highest risk and drawing on multiple sources where available.