Daily News Update: Friday, March 14, 2025 (Australia/Melbourne)

This post is an AI-generated summary of News Articles from a handful of publications over the last 24 hours. No credit is taken for the contents of said articles or the accuracy thereof.


Chinese Cyber Espionage Targeting Juniper Routers

An espionage group operating out of China, dubbed UNC3886, is targeting routers made by Juniper Networks. Mandiant researchers found that UNC3886 deployed custom backdoors on Junos OS routers, focusing on defense, technology, and telecommunication organizations in the US and Asia.

The affected routers were running end-of-life hardware and software. The malware deployed demonstrates in-depth knowledge of advanced system internals. The goal of the campaign is to gather and use legitimate credentials to move laterally within a network, undetected, maintaining long-term access to victim networks.

Six custom-made versions of the Tinyshell backdoor were observed operating on Juniper Networks’ Junos OS routers. The attackers tailored the malware for Junos OS, including features not previously seen in other campaigns.

Compromise of routing devices grants long-term, high-level access to crucial routing infrastructure, with potential for more disruptive actions in the future.

Mandiant suggests organizations running Juniper MX routers with end-of-life hardware and software upgrade their devices.

“UNC3886 continues to show a deep understanding of the underlying technology of the appliances being targeted,” - Mandiant

The Record | "China continues cyberattacks on routers, this time targeting Juniper Networks devices"


Lazarus Group Targeting Devs with Malicious npm Packages

The Lazarus Group, a North Korea-linked threat group, has planted six new malicious packages in the npm registry. These packages contain BeaverTail malware, designed to install backdoors and steal credentials and data from cryptocurrency wallets.

The malicious packages include is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. These packages mimic the names of trusted libraries, employing typosquatting tactics. The Lazarus Group also created GitHub repositories for five of the packages to lend an appearance of open-source legitimacy.

The BeaverTail malware collects system environment details and extracts sensitive login files and keychain archives, targeting cryptocurrency wallets by extracting id.json from Solana and exodus.wallet from Exodus. The stolen data is then uploaded to a hardcoded C2 server.

GitHub has removed all six malicious packages.
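A lockfile check for the six package names above, written here as an added example rather than code from the article or from Socket: it walks a package-lock.json (including nested node_modules paths and the older lockfileVersion 1 layout) and reports any of the named packages. The sample lockfile is constructed for the demonstration.

```python
import json

# The six package names reported as malicious in the summarised article.
LAZARUS_NPM_PACKAGES = {
    "is-buffer-validator", "yoojae-validator", "event-handle-package",
    "array-empty-validator", "react-event-dependency", "auth-validator",
}


def packages_in_lockfile(lock: dict) -> set[str]:
    """Return every package name installed according to a package-lock.json.

    lockfileVersion 2/3 keys entries under "packages" by install path, e.g.
    "node_modules/react/node_modules/bar" (nested dependency "bar").
    lockfileVersion 1 nests entries under "dependencies" instead.
    """
    names: set[str] = set()
    for path in lock.get("packages", {}):
        if not path:  # "" is the root project entry, not a dependency
            continue
        # Text after the last "node_modules/" is the package's own name;
        # scoped names ("@scope/pkg") survive because the split is on the prefix.
        names.add(path.rsplit("node_modules/", 1)[-1])

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            names.add(name)
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return names


def find_flagged(lock: dict, blocklist: set[str] = LAZARUS_NPM_PACKAGES) -> list[str]:
    """Sorted list of installed packages that appear on the blocklist."""
    return sorted(packages_in_lockfile(lock) & blocklist)


# Constructed sample lockfile (lockfileVersion 3) with two of the named
# packages present, one of them pulled in transitively under "react".
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"is-buffer": "^2.0.5"}},
    "node_modules/is-buffer": {"version": "2.0.5"},
    "node_modules/is-buffer-validator": {"version": "1.0.2"},
    "node_modules/react": {"version": "18.3.1"},
    "node_modules/react/node_modules/auth-validator": {"version": "0.0.1"}
  }
}""")

if __name__ == "__main__":
    for pkg in find_flagged(SAMPLE_LOCK):
        print(f"FLAGGED: {pkg} is a package named in the Lazarus npm campaign")
```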

“The six new packages — collectively downloaded over 330 times — closely mimic the names of widely trusted libraries, employing a well-known typosquatting tactic used by Lazarus-linked threat actors to deceive developers,” - Kirill Boychenko, threat intelligence analyst at Socket

CyberScoop | "Lazarus Group deceives developers with 6 new malicious npm packages"


Medusa Ransomware Affiliate's Triple Extortion Scam

A Medusa ransomware affiliate attempted a triple extortion scam, demanding three payments instead of the usual two. A joint advisory by the FBI, CISA, and the MS-ISAC highlights that Medusa is a ransomware-as-a-service (RaaS) operation that recruits third-party affiliates to plant ransomware and negotiate with victims.

These affiliates often attack with credential-stealing phishing campaigns or by exploiting unpatched software bugs, such as CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass) and CVE-2023-48788 (Fortinet EMS SQL injection vulnerability).

Medusa actors use a double extortion strategy, demanding payments to decrypt data and prevent its release. One Medusa actor contacted a victim after they paid the ransom, claiming the negotiator had stolen the payment and requesting half of the payment again for the "true decryptor," indicating a potential triple extortion scheme.

As of February 2025, Medusa has claimed at least 300 victims across critical infrastructure sectors. The group has also been spotted using Mimikatz for credential dumping and Rclone for data exfiltration. The advisory recommends storing multiple copies of sensitive data in an air-gapped location and using network segmentation to prevent lateral movement.

“FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid,” - FBI, CISA, and the MS-ISAC

The Register | "Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand"


Juniper Patches Bug Exploited by Chinese Cyberspies

Juniper Networks has released emergency security updates to patch a Junos OS vulnerability (CVE-2025-21590) exploited by Chinese hackers to backdoor routers for stealthy access.

The medium severity flaw is caused by an improper isolation or compartmentalization weakness. Successful exploitation lets local attackers with high privileges execute arbitrary code on vulnerable routers to compromise the devices' integrity.

The vulnerability impacts NFX-Series, Virtual SRX, SRX-Series Branch, SRX-Series HE, EX-Series, QFX-Series, ACX, and MX-Series devices. CISA has added CVE-2025-21590 to its catalog of actively exploited vulnerabilities, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Juniper devices by April 3rd.

Mandiant reported that Chinese hackers have exploited the security flaw since 2024 to backdoor vulnerable Juniper routers that reached end-of-life (EoL). The Chinese-nexus espionage group, UNC3886, deployed six backdoors with distinct C2 communication methods and a separate set of hardcoded C2 server addresses.

"At least one instance of malicious exploitation (not at Amazon) has been reported to the Juniper SIRT. Customers are encouraged to upgrade to a fixed release as soon as it's available and in the meantime take steps to mitigate this vulnerability," - Juniper

Bleeping Computer | "Juniper patches bug that let Chinese cyberspies backdoor routers"


GitLab Patches Critical Authentication Bypass Vulnerabilities

GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE), fixing nine vulnerabilities, including two critical severity ruby-saml library authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292).

These vulnerabilities allow an authenticated attacker with access to a valid signed SAML document to impersonate another user within the same SAML Identity Provider (IdP) environment.

The flaws were addressed in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2. GitHub discovered the ruby-saml bugs. GitLab also fixed a high-severity remote code execution issue (CVE-2025-27407) that allows an attacker-controlled authenticated user to exploit the Direct Transfer feature to achieve remote code execution.

GitLab users who cannot upgrade immediately are advised to enable 2FA for all users, disable the SAML two-factor bypass option, and request admin approval for auto-created users.

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," - GitLab bulletin

Bleeping Computer | "GitLab patches critical authentication bypass vulnerabilities"


Vulnerability in Ubiquitous FreeType Library Exploited

Facebook has issued a warning regarding a vulnerability in the FreeType library, a widely used open-source font rendering library.

The vulnerability, tracked as CVE-2025-27363, affects all versions up to 2.13 and can lead to arbitrary code execution. It was patched in FreeType version 2.13.0 on February 9th, 2023.

The vulnerability is an out-of-bounds write that occurs when parsing font subglyph structures related to TrueType GX and variable font files: a heap buffer is allocated too small, and the write past its end can lead to arbitrary code execution.

Given FreeType's widespread use across various platforms, including Linux, Android, and game engines, it is crucial for developers and administrators to upgrade to FreeType 2.13.3 as soon as possible.

Bleeping Computer | "Facebook discloses FreeType 2 flaw exploited in attacks"


Red Report 2025: Credential Theft Spike and AI Hype Debunked

The Red Report 2025 by Picus Labs reveals a threefold increase in malware targeting credential stores, jumping from 8% in 2023 to 25% in 2024. Stealing credentials from password stores (MITRE ATT&CK technique T1555) broke into the top 10 most-used attacker techniques.

The report highlights that 93% of malware includes at least one of the top ten MITRE ATT&CK techniques. Common techniques include process injection (T1055) and command and scripting interpreter (T1059).

The report introduces "SneakThief," a new breed of information-stealing malware that executes multi-stage, precision attacks. Despite the hype around AI-driven attacks, Picus Labs found no evidence that cybercriminals deployed novel AI-driven malware in 2024.

The report suggests that organizations should focus on reinforcing fundamentals and continuously testing and aligning their security controls to the tactics attackers are currently using.

"Cybercriminals have turned password theft into a booming enterprise... the dark allure of AI in malware remains more myth than reality." - Picus Labs, Red Report 2025

Bleeping Computer | "Red Report 2025: Unmasking a 3X Spike in Credential Theft and Debunking the AI Hype"


Ukraine Seeks to Bolster Offensive Cyber Capabilities

Ukraine's cybersecurity officials are emphasizing the urgent need to enhance the country’s offensive cyber capabilities in response to escalating threats from Russia. Serhii Demediuk, deputy secretary of Ukraine’s National Security and Defense Council, stated that Ukraine is working on strengthening its offensive capacity and is encouraging its European partners to join these efforts.

He distinguished between offensive cyberattacks and active cyber defense, suggesting that offensive operations should shift from the military to law enforcement agencies to combat cybercrime.

Legal hurdles remain a significant obstacle in the proactive disruption of cyber threats, particularly when it comes to attribution and defining the roles and responsibilities of civilian agencies versus the military.

Natalia Tkachuk, head of cyber and information security at Ukraine’s National Security and Defense Council, highlighted that Europe needs to be ready for increased cyber operations and information warfare, regardless of the outcome of ceasefire talks.

“Defending ourselves is a thing of the past. We won’t be able to defend forever — we have to either fight back or run,” - Serhii Demediuk, deputy secretary of Ukraine’s National Security and Defense Council

The Record | "Ukraine seeks to bolster offensive cyber capabilities amid rising threats from Russia"


Ukraine's Cyber Conference: Europe Takes Center Stage

Ukraine’s major annual cybersecurity conference, the Kyiv International Cyber Resilience Forum, saw a shift in focus this year, with Europe taking center stage over the US. Unlike last year, no Trump administration officials attended the conference amid geopolitical tensions.

While U.S.-based private tech companies like Google, Cloudflare, CrowdStrike, and Fortinet were named as conference partners, the stage was predominantly occupied by officials from the EU and European private cybersecurity firms. Anton Demokhin, Ukrainian Deputy Foreign Minister, noted that the absence of American speakers reflects the U.S. position at this particular moment.

Oleksandr Potii, chairman of Ukraine’s State Service of Special Communications and Information Protection (SSCIP), signed a memorandum of understanding with Luca Tagliaretti, the executive director of the European Cybersecurity Competence Centre (ECCC) to exchange information and expertise.

“When we talk about international partnerships today, it can’t just be about joint exercises, knowledge sharing, or academic projects. We need to start a conversation about building a collective European cybersecurity framework,” - Natalia Tkachuk, head of cyber and information security at Ukraine’s National Security and Defense Council

The Record | "At Ukraine’s major cyber conference, Europe takes center stage over US"


UK Secret Apple Encryption Court Hearing

Politicians and civil society groups in the United Kingdom are calling for a secret court hearing regarding the British government’s encryption demands on Apple to be held in public.

The hearing, set to take place behind closed doors, follows Apple's decision to turn off the option for British users to protect their iCloud accounts with end-to-end encryption, reportedly due to a legal order from the British government requiring access to encrypted iCloud accounts.

A joint letter to Lord Justice Singh from British civil liberties groups argues that opening the hearing to the public would not prejudice national security and is in the public interest. Politicians from opposition parties have also called for more transparency from the Home Office.

“There is significant public interest in knowing when and on what basis the UK government believes that it can compel a private company to undermine the privacy and security of its customers,” - British civil liberties groups

The Record | "Calls grow for UK to move secret Apple encryption court hearing to public session"


Legislative Push for Child Online Safety vs. Encryption

The Stop CSAM Act, proposed by Sens. Josh Hawley and Dick Durbin, aims to mandate tech companies to swiftly report and remove child sexual abuse material (CSAM) from their platforms. Critics warn that this could weaken or eliminate encrypted messaging services. The bill seeks to alter Section 230 of the Communications Decency Act, allowing victims to file civil lawsuits against companies that fail to remove CSAM content promptly.

Michelle DeLaune, CEO of the National Center for Missing and Exploited Children, supports the bill, citing a significant drop in CSAM reports. Digital rights groups oppose the bill, arguing that tech companies are already legally required to address known instances of CSAM and that there is no technical solution to access encrypted communications without weakening encryption for all users.

Apple previously discontinued end-to-end encryption services in the UK in response to government requests for law enforcement access to encrypted iCloud accounts.

"We’re very concerned that if this bill passes, the platforms’ reaction will be, ‘if we’re going to be held liable for content we don’t know about, we can’t offer encrypted services, because it’s not worth the risk for us.’" - Jenna Leventoff, senior policy counsel at the American Civil Liberties Union

CyberScoop | "Legislative push for child online safety runs afoul of encryption advocates (again)"


Metadata

  • Key Organisations and Individuals:
    • Facebook
    • Sens. Josh Hawley and Dick Durbin
    • Michelle DeLaune (CEO, National Center for Missing and Exploited Children)
    • American Civil Liberties Union (Jenna Leventoff)
    • Apple
    • Lazarus Group
    • Socket (Kirill Boychenko, Feross Aboukhadijeh)
    • Juniper Networks
    • Mandiant (Austin Larsen, Sandra Joyce)
    • FBI
    • CISA
    • MS-ISAC
    • HCRG Care Group
    • Gateshead Council
    • Symantec
    • Picus Labs
    • Serhii Demediuk (Ukraine’s National Security and Defense Council)
    • Natalia Tkachuk (Ukraine’s National Security and Defense Council)
    • International Institute for Strategic Studies (Charlie Edwards)
    • Oleksandr Potii (Ukraine’s State Service of Special Communications and Information Protection (SSCIP))
    • Luca Tagliaretti (European Cybersecurity Competence Centre (ECCC))
    • David Davis (Conservative Party politician)
    • GitHub
    • Amazon (Matteo Memelli)
    • Black Lotus Labs
  • Technical Terms:
    • FreeType
    • CVE-2025-27363
    • CSAM (Child Sexual Abuse Material)
    • Section 230
    • Encryption
    • npm
    • BeaverTail malware
    • Typosquatting
    • C2 Server
    • Junos OS
    • UNC3886
    • Tinyshell backdoor
    • CVE-2025-21590
    • J-magic malware
    • SeaSpy backdoor
    • Ransomware
    • Medusa ransomware
    • RaaS (Ransomware-as-a-Service)
    • IABs (Initial Access Brokers)
    • CVE-2024-1709
    • CVE-2023-48788
    • Mimikatz
    • Rclone
    • MITRE ATT&CK
    • Process Injection (T1055)
    • Command and Scripting Interpreter (T1059)
    • Credential Theft (T1555)
    • SneakThief malware
    • Adversarial Exposure Validation
    • Breach and Attack Simulation
    • SAML
    • 2FA
  • Countries:
    • United States
    • Ukraine
    • Russia
    • United Kingdom
    • China
    • North Korea
  • Industry Verticals:
    • Technology
    • Cybersecurity
    • Government
    • Healthcare
    • Education
    • Legal
    • Insurance
    • Manufacturing
    • Telecommunications