March 25, 2025
Cisco Smart Licensing Flaws under Attack: Critical Vulnerabilities Leave Unpatched Systems Exposed
Critical vulnerabilities in Cisco Smart Licensing Utility (CVE-2024-20439, CVE-2024-20440) are under active attack, putting unpatched systems at risk. Learn how to protect your network now.
Two critical vulnerabilities in Cisco’s Smart Licensing Utility (versions 2.0.0, 2.1.0, 2.2.0) are under active attack after patches were issued last year. The flaws (CVE-2024-20439 and CVE-2024-20440, both CVSS 9.8) consist of a hidden, static admin credential and an overly verbose debug log that leaks credentials, potentially letting attackers log in with full privileges and harvest sensitive API keys. Cisco fixed the issues in September 2024, but systems running unpatched versions remain at risk whenever the licensing service is active. The SANS Internet Storm Center warns that ongoing exploitation attempts could lead to complete system compromise on vulnerable Cisco servers. Impact: Organizations using Cisco Smart Licensing Utility should update to version 2.3.0 or later immediately to prevent unauthorized admin access and data theft.
Oracle Denies Data Breach Claims After 6M Records Put on Sale
Oracle is refuting a hacker’s claim of breaching its systems and stealing 6 million customer records from its Oracle Cloud identity service. The threat actor “rose87168” released samples (including LDAP info and company lists) and even uploaded a proof-of-access text file to an Oracle Cloud server, alleging they exfiltrated encrypted SSO passwords, keystore files, and other credentials. Oracle told the press “There has been no breach of Oracle Cloud… No Oracle Cloud customers experienced a breach or lost data”. The hacker is attempting to sell the data or trade it for zero-day exploits on a criminal forum. Oracle has not explained how the attacker managed to place a file on an Oracle server if no breach occurred. Impact: If the hacker’s claims are true, the stolen credentials could enable further intrusions. Oracle’s strong denial suggests either a false claim or a very limited exposure, but customers are on alert pending more details.
Coinbase Targeted in GitHub Supply Chain Attack
Researchers revealed that cryptocurrency exchange Coinbase was the prime target of a sophisticated supply-chain attack on GitHub Actions that compromised continuous integration (CI) workflows. Attackers injected malicious code into a popular open-source GitHub Action (reviewdog/action-setup@v1), causing hundreds of projects’ CI secrets to leak into build logs. Notably, the attackers focused the attack on Coinbase’s repositories: when Coinbase’s agentkit project ran a workflow that pulled the tampered action, it exposed a token that hackers used to push a malicious change into another dependency. Coinbase told investigators the attempt was unsuccessful and caused no damage to their systems or the AgentKit project. Only 218 repositories in total had secrets stolen (out of 23,000 that used the affected action) before GitHub and security teams shut down the campaign. Impact: The incident highlights the dangers of software supply-chain attacks on developer tools. Coinbase’s quick response limited damage, but other organizations are urged to audit CI/CD pipelines and rotate any credentials that might have been exposed.
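The Coinbase item turns on a detail of how GitHub Actions resolves dependencies: a tag such as `@v1` is a mutable pointer, so whoever controls the action’s repository can re-point it at tampered code and every downstream workflow picks it up on the next run. The audit the item recommends therefore starts with finding every `uses:` reference that is not pinned to an immutable 40-character commit SHA. The scanner below is an added example written for this digest, not code from Coinbase, reviewdog or GitHub; it uses a line-oriented regular expression rather than a YAML parser so it runs with the standard library only, and the sample workflow (including the 40-hex SHA in it) is constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# Matches a `uses:` step, e.g.  "- uses: reviewdog/action-setup@v1",
# capturing the action path and the ref after '@'. Local actions
# ("./.github/actions/x") and docker:// refs have no '@' and are skipped.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@"\'\s]+)@([^"\'\s#]+)')
# An immutable pin is a full 40-hex-character commit SHA.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Action named on the page as the one that was tampered with in this campaign.
KNOWN_TAMPERED = {"reviewdog/action-setup"}


class UsesRef(NamedTuple):
    line_no: int
    action: str
    ref: str
    pinned_to_sha: bool


def find_uses(workflow_text: str) -> List[UsesRef]:
    """Return every remote action reference found in a workflow file."""
    refs: List[UsesRef] = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            refs.append(UsesRef(n, action, ref, bool(SHA_RE.match(ref))))
    return refs


def audit(workflow_text: str) -> Dict[str, List[str]]:
    """Summarise what a pipeline reviewer would want to act on."""
    refs = find_uses(workflow_text)
    return {
        "unpinned": [f"{r.action}@{r.ref} (line {r.line_no})"
                     for r in refs if not r.pinned_to_sha],
        "known_tampered": [f"{r.action}@{r.ref} (line {r.line_no})"
                           for r in refs if r.action in KNOWN_TAMPERED],
    }


# Constructed sample workflow; the SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - run: echo "uses: not-a-step@v9"
"""

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_WORKFLOW).items():
        print(kind, items)
```

Pinning to a SHA removes the mutable pointer but does not vouch for the commit itself, so the pin should be reviewed (or taken from a release the team has inspected) before it is adopted; the same scan should run over every workflow in the organization, since the item notes the attack reached hundreds of repositories through a single shared action.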
Malicious Steam Game Demo Infects Players with Info-Stealer
Valve has pulled a game demo from Steam after multiple users reported it contained malware that stole information from their PCs. The demo, for a shooter titled “Sniper: Phantom’s Resolution”, prompted players to download an installer from an off-platform GitHub repository – a red flag since legitimate Steam games don’t require external downloads. Tech-savvy users analyzed the installer and found it included a Windows Defender spoof, privilege escalation tools, a Node.js-based cookie interceptor, and scripts for persistence. In short, running the demo infected players with an info-stealing Trojan. GitHub quickly removed the attacker’s repository, and by Thursday Valve had also banned the game and its developer from Steam. The malicious developer’s own website went offline, and Steam advised anyone who ran the demo to uninstall it and scan their system for malware. Impact: This incident – just a month after a similar malware-laced “game” on Steam (PirateFi) infected up to 1,500 users – underscores the risk of attackers sneaking malware onto trusted platforms. Gamers should exercise caution even on official stores, and Steam is likely to tighten its vetting to prevent repeats.
Phishing Campaign Spoofs Semrush to Hijack Google Accounts
A crafty new phishing and malvertising campaign is targeting digital marketers by impersonating Semrush, a popular SEO and marketing SaaS platform, in order to steal Google account credentials. Fraudsters are placing fake Google Ads for “Semrush” that redirect SEO professionals to a lookalike Semrush login page, tricking them into entering Google login details. According to researchers at Malwarebytes and an SEO firm, the attackers likely aim to compromise victims’ Google Ads and Analytics accounts, which are often linked with Semrush for business insights. This “cascading fraud” approach was seen earlier in the year using fake Google Sites, and the threat group – reportedly based in Brazil – has now switched to abusing the Semrush brand for credibility. By hijacking one professional’s Google account, the attackers can run malicious ads from that account to ensnare even more victims, creating a widening spiral of compromised accounts. Impact: High-value Google accounts (with access to ad campaigns, web analytics, and revenue data) are at stake. Companies are advised to verify they are clicking genuine ads or navigate directly to service URLs, and use multi-factor authentication on Google accounts to mitigate credential theft.
U.S. Lifts Sanctions on Tornado Cash Mixer after Court Ruling
In a significant policy reversal, the U.S. Treasury Department has removed the sanctions on Tornado Cash, an Ethereum coin mixer that had been blacklisted for abetting North Korean hackers. OFAC originally sanctioned Tornado Cash in August 2022, alleging it helped launder over $7 billion in illicit crypto, including $455 million stolen by North Korea’s Lazarus Group from the Axie Infinity/Ronin hack. However, a federal appeals court ruled in November 2024 that sanctioning Tornado Cash (essentially open-source software) exceeded OFAC’s authority. As a result, Treasury announced that it would comply with the ruling and delist Tornado Cash from the sanctions list. The mixer had been a go-to tool for criminals to obscure crypto transactions – beyond the North Korean heists, it was used to launder millions from the Nomad bridge and Harmony Bridge hacks as well. Impact: The desanctioning is a win for crypto privacy advocates and developers, but it raises concerns among law enforcement. North Korea and other threat actors lost a major laundering avenue when Tornado was banned; its return could renew illicit use. The case also sets a precedent limiting the U.S. government’s reach in sanctioning decentralized code platforms, likely influencing how authorities tackle cryptocurrency crime going forward.
Arrests Made in Tap-to-Pay Phishing Fraud Scheme
U.S. authorities announced the first-ever arrests in a new kind of tap-to-pay fraud that bridges online phishing and in-store theft. In Knox County, Tennessee, 11 individuals (all Chinese nationals) were arrested for allegedly using phishing-powered mobile wallets to buy tens of thousands of dollars in gift cards with other people’s credit cards. According to investigators, the group obtained stolen card data by running phishing scams – for example, sending fake texts about postal fees or toll charges to trick victims into entering card info (bypassing cell carriers via email-to-SMS kits). The scammers then loaded that stolen card data into mobile payment apps on Android devices, effectively creating fraudulent Apple Pay/Google Pay wallets. Using a custom Android app, they could make these phones impersonate tap-to-pay cards at retail stores across different states. During the Tennessee operation, police recovered over $23,000 in gift cards bought with the compromised card data. Impact: This scheme shows the evolution of classic card fraud into the mobile era – phished data is turned into contactless payment clones, making detection harder. The busts in Tennessee (and a similar case in Arkansas) suggest law enforcement is catching on, but other cells may still be exploiting this method nationwide. Retailers are advised to train staff to spot suspicious bulk gift card purchases, and consumers should be wary of unsolicited texts asking for payments or personal info.
Israeli “Paragon” Spyware Used Against Journalists and NGOs
A new investigation reveals that advanced spyware developed by Israeli firm Paragon Solutions has been deployed against members of civil society in multiple democracies. On January 31, WhatsApp alerted more than 90 individuals that their devices were targeted by this sophisticated malware, which infects smartphones via messaging apps. Citizen Lab researchers, working with some of the victims, have since detailed how the spyware operates and identified some of the governments behind it. Branded as “Paragon” (no relation to NSO Group’s Pegasus, but similar in capability), the spyware can covertly surveil both Android and iOS devices, extracting messages and turning on cameras/mics without detection. Disturbingly, the clients using Paragon include law enforcement or intelligence agencies in democratic countries, not just authoritarian regimes. One researcher noted, “Real governments are in fact using [this] spyware against... citizens. It’s a crazy time to be alive,” highlighting how even nations with strong rule of law are tempted by such tools. Impact: The discovery of Paragon’s use on journalists and aid workers raises fresh concerns about oversight of cyber-surveillance tech. It underscores a growing trend of mercenary spyware being sold globally and potentially abused, prompting calls for stricter regulation and for potential targets to secure their communications (e.g. using up-to-date devices and enabling safety features like WhatsApp’s alerts for unknown device links).
CISA Red-Team Cuts Spark Concerns for U.S. Cyber Defense
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is grappling with internal turmoil after widespread contract cuts that hit its elite “red team” units. Under a cost-cutting initiative led by Elon Musk – who heads the new Department of Government Efficiency (DOGE) in the current administration – hundreds of DHS cybersecurity contractors were let go in late February, including those supporting CISA’s threat-hunting and red-teaming operations. CISA clarified in a statement that it technically didn’t “lay off” these security experts but simply canceled their contracts, effectively sidelining entire teams that simulate cyberattacks to probe U.S. government and critical infrastructure defenses. The move came amid an administration-wide purge of probationary federal employees (a controversial action later reversed by court order) and budget-driven downsizing at cyber agencies. Security professionals are alarmed – one DHS red-team leader’s LinkedIn post about his contract getting axed drew dozens of recruiters eager to poach the talent. Observers warn that dismantling or pausing CISA’s red teams could create intelligence blind spots, as these teams often discover emerging threats and vulnerabilities that agencies and industry rely on. Impact: Slashing cyber defense programs in the name of efficiency may save money short-term but increases the risk of undetected breaches long-term. Lawmakers and CISA’s leadership are reportedly pushing to restore funding to these operations, noting that any lapse in proactive testing leaves the nation’s networks more exposed to adversaries.
New APT Uncovered Targeting Taiwan’s Infrastructure
Cisco Talos researchers have identified a previously unknown advanced threat actor, UAT-5918, that has been infiltrating critical infrastructure in Taiwan since at least 2023. This group appears focused on long-term espionage: it exploits known (unpatched) vulnerabilities in internet-facing servers to gain an initial foothold, then plants web shells and employs open-source hacking tools to move laterally and harvest credentials and data. UAT-5918 has hit not only government infrastructure but also telecom, IT, academic, and healthcare targets in Taiwan. Investigators believe it’s a nation-state APT motivated by intelligence gathering – the group’s tactics overlap with techniques used by several Chinese state-aligned hacking crews (Volt Typhoon, Flax Typhoon, Tropic Trooper, etc.). Notably, the intrusions emphasize stealth and persistence over destruction: the attackers maintain backdoors for long-term access, potentially siphoning sensitive info for months. Impact: Taiwan has long been in the crosshairs of Chinese cyber-espionage, and the emergence of UAT-5918 shows continued adaptation by threat actors to evade detection. Taiwanese organizations are urged to patch known flaws promptly and look for signs of these post-compromise tools. Given the overlaps with known Chinese operations, this discovery also helps global defenders recognize and attribute similar tactics in their networks.
Unlikely Alliance: Hackers “Head Mare” and “Twelve” Join Forces Against Russia
In an unusual twist, a pair of cybercrime groups are collaborating to attack Russian organizations, according to new findings by Kaspersky Lab. The two threat clusters, codenamed “Head Mare” and “Twelve,” were previously seen as separate actors but now appear to be running joint campaigns against Russian targets. Evidence of the alliance comes from shared infrastructure and tools: Head Mare’s recent attacks have leveraged command-and-control servers that were exclusively used by Twelve in the past, and they’ve started using hacking implants (like the CobInt backdoor) known to be favored by Twelve. Last year, Head Mare was observed exploiting a WinRAR vulnerability (CVE-2023-38831) to gain initial access, then deploying malware and even ransomware (LockBit on Windows, Babuk on Linux/VMware ESXi) on Russian companies for profit. Twelve, meanwhile, has a reputation for more destructive attacks – using off-the-shelf tools to encrypt data and then wiping systems to cripple victims, rather than extort. The convergence of these tactics suggests the groups may be pooling resources or coordinating operations. Impact: Russian entities, including businesses or perhaps government agencies, are facing a compounded threat from this collaboration. It’s somewhat rare to see cyber gangs team up across different modus operandi, especially to hit Russian targets (as many cybercriminals operate from Russia with tacit tolerance). This could signal shifting dynamics – possibly retaliation by pro-Ukraine or other actors – and indicates that even well-resourced threat groups are not beyond forming alliances to achieve their goals. Russian organizations are advised to apply the WinRAR patch from last year and strengthen monitoring for known malware associated with these groups.
Medusa Ransomware Deploys Malicious Driver to Disable Antivirus
Medusa, a ransomware-as-a-service gang active since 2021, has been caught using an unusually aggressive technique to evade endpoint defenses. In a recent incident analyzed by Elastic Security Labs, Medusa operators installed a malicious Windows driver (dubbed “ABYSSWORKER”) on the victim machine as part of the attack chain. This is a classic “bring your own vulnerable driver” (BYOVD) approach: the driver was signed with a stolen digital certificate from a legitimate Chinese hardware vendor but had been revoked due to known security issues. Once loaded, the rogue driver (masquerading as a CrowdStrike Falcon anti-malware driver) effectively shut down the system’s antivirus and EDR (endpoint detection & response) protections, clearing the way for Medusa’s file-encrypting payload to run unhindered. Dozens of samples of this driver, smuol.sys, have appeared on VirusTotal since August 2024, indicating the tactic has been in testing or use for months. All the samples were signed with various compromised certificates from Chinese companies, suggesting the attackers have a supply of leaked certs to rotate through. Impact: This development shows ransomware actors upping their game by adopting tactics more often seen in state-sponsored attacks. A signed driver can bypass a lot of security controls because it appears trustworthy to the OS – until it starts killing processes. Organizations should ensure their devices block known vulnerable or revoked drivers (Microsoft’s Windows driver blocklist can help) and monitor for unusual driver installation activity. The Medusa attack also underlines the importance of having multiple layers of defense; even if EDR is blinded, network monitoring or anomaly detection might catch the attack before data is encrypted.
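The Medusa item ends with two concrete defensive asks: block known vulnerable or revoked drivers, and monitor for unusual driver installation activity. The triage routine below is an added example written for this digest, not code from Elastic Security Labs or Microsoft. It assumes driver-load telemetry with the field names of Sysmon Event ID 6 (DriverLoad: ImageLoaded, Signed, Signature, SignatureStatus); the one-line key=value layout, the timestamps, the vendor string and every path in the sample records are constructed, and the only blocklist entry comes from the page (smuol.sys). It flags a load when the driver name is blocklisted, when the signature is missing or has a status other than Valid (the revoked certificate the item describes), or when the image was loaded from outside the standard driver directories.

```python
import re
from typing import Dict, List

# key=value pairs, with quoting for values that contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Directories a legitimately installed driver is normally loaded from.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Hand-maintained blocklist; the one entry is the driver named on the page.
BLOCKLISTED_NAMES = {"smuol.sys"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed key=value record into a dict."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons (if any) a driver load deserves a closer look."""
    findings: List[str] = []
    image = event.get("ImageLoaded", "")
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in BLOCKLISTED_NAMES:
        findings.append("blocklisted driver name")
    if event.get("Signed", "").lower() != "true":
        findings.append("unsigned driver")
    elif event.get("SignatureStatus", "") != "Valid":
        # Revoked or expired certificates show up here; a signed driver with a
        # revoked cert is exactly the BYOVD case described above.
        findings.append(f"signature status {event.get('SignatureStatus', 'missing')}")
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        findings.append("loaded from outside standard driver directories")
    return findings


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each loaded image path to its findings."""
    events = [parse_event(line) for line in lines]
    return {e["ImageLoaded"]: assess(e) for e in events}


# Constructed sample records (layout, times, vendor string and paths are made up).
SAMPLE_EVENTS = [
    r'UtcTime=2025-03-20T10:01:02 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    r'UtcTime=2025-03-20T10:05:44 ImageLoaded=C:\Users\Public\smuol.sys Signed=true Signature="EXAMPLE HARDWARE VENDOR LTD" SignatureStatus=Revoked',
    r'UtcTime=2025-03-20T10:06:10 ImageLoaded=C:\ProgramData\tmp\helper.sys Signed=false Signature="" SignatureStatus=Unavailable',
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS).items():
        print(image, "->", findings or "ok")
```

A hand-kept name set is only a stand-in: in production the block rule should come from Microsoft’s vulnerable driver blocklist (enforced through WDAC or the Windows security setting the item mentions) and the signature-status check should be fed by a SIEM rule over real Event ID 6 records, because a driver that is renamed or resigned with a different leaked certificate will slip past a name match but still fail the path or signature checks.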
Sources:
Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility
Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
Oracle denies breach after hacker claims theft of 6 million data records
Coinbase was primary target of recent GitHub Actions breaches
Arrests in Tap-to-Pay Scheme Powered by Phishing
Nation-State 'Paragon' Spyware Infections Target Civil Society
What CISA's Red Team Disarray Means for US Cyber Defenses
CISA marks NAKIVO’s critical backup vulnerability as actively exploited